#1
Junior Member
Join Date: Jan 2006
Posts: 1

Hi. First off, thanks for Spybot and all the work you all do to make it such an excellent program.

The other day, my ZoneAlarm went off while I was surfing the web, asking me if I wanted to allow "UWAS6_0001_N68M2301NetInstaller.exe" to access the internet. Naturally, I said NO. I had Kaspersky Personal AV running at the time and it gave no alerts (I use the extended database files for Kaspersky that usually catch malware/spyware). I located the .exe file named above in my %WINDIR%\DOWNLOADED PROGRAM FILES\ folder and deleted it immediately. I probably should have saved it, but I didn't. Later on that same day, when I was using msconfig to adjust some startup items, I noticed an entry in there that was checked to run at startup, and it was for the UWAS6_0001_N68M2301NetInstaller.exe file I had previously deleted. I unchecked the setting and ran a Spybot scan to see if it found anything. The scan came up "clean", which was a relief. I ran a HiJackThis scan as well and it had no entries in it that weren't supposed to be there. I figured since ZoneAlarm stopped it from connecting to whatever website it was trying to connect to, I hadn't gotten "infected". I had only picked up the installer.

Now today I decided to use msconfig again and saw that the startup entry for UWAS6_0001_N68M2301NetInstaller.exe was still there but unchecked, so I figured I'd go into regedit and clean up any registry references to that file I could find. But before I removed any registry references to this file, I decided to update my Spybot with the latest detections. After updating, I ran a scan. Spybot found a CoolWWWSearch.XPlugin: Tracking cookie, which I fixed, but nothing else. No mention of the reg key associated with UWAS6_0001_N68M2301NetInstaller.exe.

So I did a google on that file name and got back just 1 hit, for this URL: http://virusinfo.prevx.com/viruscent...GRP=4785000015 If you scroll down the page, you'll come to the reference to UWAS6_0001_N68M2301NetInstaller.exe and what they say its actions are: "Rogue.ErrorSafe: Installs programs. Invokes dll components. Creates Run Keys. Runs temporary programs. Communicates with web sites using httpout protocols. Has outbound communications. Creates registry entries. Creates run keys for known malware." I've never heard of this "Prevx" company, or their product before, so I have no way of knowing how valid their information is. According to their site, this variant was first seen January 26th, and it was on the afternoon of the 27th that I came across it in my web surfing. I'm not sure what site I was at when I picked up the installer, but I remember I had been looking for themes for my cell phone display. Perhaps it was one of those sites.

I'm not sure if the Spybot team knows about this, but I decided to register and post just in case you weren't aware of it yet. Just a little info I have about this is listed below.

File Name: UWAS6_0001_N68M2301NetInstaller.exe
File loaded into %WINDIR%\DOWNLOADED PROGRAM FILES\
Created the following registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NI.UWAS6_0001_N68M2301]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UWAS6_0001_N68M2301NetInstaller"
"hkey"="HKLM"
"command"="\"C:\\WINNT\\Downloaded Program Files\\UWAS6_0001_N68M2301NetInstaller.exe\" -nag "
"inimapping"="0"

ZoneAlarm logs it as "WinSoftware Installer". ZA entries related to this:
Code:
17:21:50 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.178:HTTP)
17:25:11 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.239:HTTP)
17:35:32 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.239:HTTP)

--- System information ---
Windows XP (Build: 2600) Service Pack 2

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-10-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-27 Includes\Beta.sbi (*)
2005-02-16 Includes\Beta.uti (*)
2006-01-27 Includes\Cookies.sbi (*)
2006-01-27 Includes\Dialer.sbi (*)
2006-01-27 Includes\Hijackers.sbi (*)
2006-01-27 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-01-27 Includes\Malware.sbi (*)
2003-04-28 Includes\plugin-ignore.ini
2006-01-27 Includes\PUPS.sbi (*)
2006-01-27 Includes\Revision.sbi (*)
2006-01-27 Includes\Security.sbi (*)
2006-01-27 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-01-27 Includes\Trojans.sbi (*)

As I said before, I'm pretty sure I didn't get the full effect of this "thing", since ZoneAlarm was able to stop it before it could download any other files it uses to install itself on a user's system. If you need any more information about this, please let me know and I'll respond with whatever info I have that may help you. I hope this is the right format for submitting spyware reports on this forum. I searched the boards beforehand and didn't find any posts about this particular problem.

Thanks again for Spybot and to its entire team for making computers safer.
Corporal Clegg

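The report above contains two artifacts a responder would want to pull apart mechanically: the ZoneAlarm block lines (which program tried to reach which address, how often) and the MSConfig startupreg entry, which shows that unchecking an item in msconfig does not delete it but moves the original Run value (hive, key, value name and command line) under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, where it can be re-enabled. The following is added example code, not Spybot's, ZoneAlarm's or the poster's; the sample inputs are the log lines and registry text quoted in the post, and the line formats assumed by the regular expressions are my assumptions about ZoneAlarm's and REGEDIT's export syntax.

```python
"""Triage helpers for a report like the one above.

Added example, not Spybot's, ZoneAlarm's or the poster's code. The inputs are
the ZoneAlarm lines and the startupreg entry as transcribed in the post; the
regexes encode assumptions about those text formats.
"""
import re
from collections import Counter

# ZoneAlarm block lines as quoted in the post (times and IPs are from the post).
ZA_LOG = """\
17:21:50 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.178:HTTP)
17:25:11 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.239:HTTP)
17:35:32 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.239:HTTP)
"""

# The msconfig "startupreg" entry in REGEDIT-export form, as the post transcribed it.
STARTUPREG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NI.UWAS6_0001_N68M2301]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UWAS6_0001_N68M2301NetInstaller"
"hkey"="HKLM"
"command"="\"C:\\WINNT\\Downloaded Program Files\\UWAS6_0001_N68M2301NetInstaller.exe\" -nag "
"inimapping"="0"
'''

# Assumed ZoneAlarm "temporarily blocked" line layout (matches the lines above).
ZA_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d+:\d{2} GMT) (?P<prog>.+?) "
    r"was temporarily blocked from connecting to the Internet "
    r"\((?P<dest>\d{1,3}(?:\.\d{1,3}){3}):(?P<proto>\w+)\)$"
)
# REGEDIT export syntax: [key path] headers and "name"="value" string values,
# where backslash and double quote are escaped with a backslash.
REG_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>(?:[^"\\]|\\.)*)"\s*$')


def parse_za_log(text):
    """Return one dict per blocked outbound attempt (unparseable lines are skipped)."""
    events = []
    for line in text.splitlines():
        m = ZA_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_blocks(events):
    """Count blocked attempts per (program, destination IP) pair."""
    return Counter((e["prog"], e["dest"]) for e in events)


def _unescape(s):
    # "\\" -> "\" and "\"" -> '"' in REGEDIT string values
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_fragment(text):
    """Parse a single-key REGEDIT fragment into (key_path, {value_name: value})."""
    key, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group("path")
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            values[m.group("name")] = _unescape(m.group("val"))
    return key, values


def split_command(cmd):
    """Split a Run-style command line into (executable path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def triage_startupreg(text):
    """Reconstruct the original Run value from a startupreg entry and flag what stands out."""
    key, v = parse_reg_fragment(text)
    exe, args = split_command(v.get("command", ""))
    flags = []
    if "\\downloaded program files\\" in exe.lower():
        flags.append("exe lives under Downloaded Program Files")
    if "msconfig\\startupreg" in (key or "").lower():
        flags.append("disabled via msconfig only; Run value can be restored from this key")
    return {
        "startupreg_key": key,
        "run_key": f'{v.get("hkey")}\\{v.get("key")}',
        "item": v.get("item"),
        "exe": exe,
        "args": args,
        "flags": flags,
    }


if __name__ == "__main__":
    for (prog, dest), n in summarize_blocks(parse_za_log(ZA_LOG)).items():
        print(f"{prog}: {n} blocked attempt(s) to {dest}")
    for k, val in triage_startupreg(STARTUPREG).items():
        print(f"{k}: {val}")
```

The useful output is the reconstructed Run location (HKLM\...\CurrentVersion\Run, value UWAS6_0001_N68M2301NetInstaller) together with the executable path and the `-nag` argument: that is the pair of things to remove, the startupreg entry and the file it points at, rather than only unchecking the item, and the per-destination counts give the firewall indicator to watch for until both are gone.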
#2
Member of Team Spybot
Join Date: Oct 2005
Location: USA
Posts: 23,454
Rated LASSHes: 16

Hello Corporal Clegg and welcome to the forum.
Thank you for reporting and also your kind words.
If you would like someone to check the system just to make sure it's clean: Before you post a log. Start a topic here: Malware Forum
If you ever have a file to submit you can zip and send it here: detections(AT)spybot.info
Thank you!
__________________
UNITE-ASAP Microsoft MVP. Consumer Security 2006-2010 Please help us improve Spybot, download our distributed testing client

#3
Junior Member
Join Date: Feb 2006
Posts: 1

My wife picked up this same thing while surfing pregnancy web sites. I have not deleted it yet...

#4
Member of Team Spybot
Join Date: Oct 2005
Location: USA
Posts: 23,454
Rated LASSHes: 16

Could you submit it zipped please.
detections(AT)spybot.info

#5
Junior Member
Join Date: Feb 2006
Posts: 7

I too have been graced with this program. I sent a SFX RAR file to detections(AT)spybot.info. I renamed the .exe while I investigate the program. The properties for this program show it was created Monday, January 23, 2006, 1:50:46 PM. I was at work at that time, so I can't tell you what site I "caught" this program from. I want to thank your staff for the hard work in the past and what I'm sure will be continuing good work in the future. Good luck!

Since I've posted this, my firewall shows that the program is still trying to connect to 2 different IP addresses even after I renamed it and moved it to a different directory.

Last edited by DeadBolt; 2006-02-09 at 02:22. Reason: continuing issue

#6
Member of Team Spybot
Join Date: Oct 2005
Location: USA
Posts: 23,454
Rated LASSHes: 16

Quote:
Before you post a log, and who will advise you. Start a topic here: Malware Forum

#7
Junior Member
Join Date: Feb 2006
Posts: 1

Hi,
ZA seems to pick up this thing on my computer too, and it seems to be trying to make an outbound connection every hour or so. Norton AV doesn't pick it up, and neither does Spybot. Any thoughts or fixes yet? Thanks.

#8
Member of Team Spybot
Join Date: Oct 2005
Location: USA
Posts: 23,454
Rated LASSHes: 16

Hello.
It would help if we saw logs. Either a Spybot-S&D log posted into this thread, or:
Before you post a log, and who will advise you. Start a topic here: Malware Forum
Regards.

#9
Junior Member
Join Date: Feb 2006
Posts: 7

Here's my Spybot log and the series of hits it makes on my firewall.
goodluck!

#10
Visiting Staff
Join Date: Oct 2005
Posts: 5,089

DeadBolt, Hi
Quote:
Open spybot 1.2 to the immunize page and uninstall the bad download blocker, close the program and uninstall it. Then restart the PC, and delete Spybot's folder in program files, usually > C:\Program Files\Spybot - Search & Destroy
Then download and install 1.4. Once that's done, check for updates, then check for problems, fix everything found, always reboot if Spybot needs to, to finish the cleanup.
http://www.safer-networking.org/index.php?page=tutorial
Download found here http://www.safer-networking.org/en/download/index.html
After that has been done, start a topic in our malware area and post a hijackthis log; there will probably be more to do..
http://forums.spybot.info/showthread.php?t=288